Watson, I'm a little confused about what profile and tailored are supposed to be. For example, here is what I have in the %post of my kickstart:

%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
tailoring-path = ssg-rhel7-ds-tailoring-custom.xml
%end

I produced the 'ssg-rhel7-ds-tailoring-custom.xml' file using the scap-workbench tool after making changes. When I first start the customization off of the DISA profile, it defaults to the name 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized' like you're saying, but how does the system I'm loading know about this customized profile? The scap-workbench is on a system where I create the image, but how does a new system I'm loading with my image know anything about 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized'? That's why I'm asking if something more than the tailored-custom.xml file needs to be copied to the image.

Does that make sense?

On Fri, Apr 5, 2019 at 8:03 AM Watson Sato <[email protected]> wrote:

> On Fri, Apr 5, 2019 at 2:06 PM Mike Johnston <[email protected]> wrote:
>
>> Thank you for the reply Watson! I discovered what you're saying is exactly
>> right. One thing I would add is that it needs to be copied there in the
>> %pre section of kickstart. It took me a week to figure that out. Adding in
>> the %post does not work...
>>
>> I'm still having issues however. Now that it seems to find my tailored
>> file it doesn't seem to be implementing some (or all) of my custom changes.
>> For example, I need to keep X11 installed, so I exclude setting to have
>> those packages removed but those files are getting removed anyway.
>>
>> Is the tailored file the only thing that needs to be copied? Does the
>> profile need to be something other than
>> 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa' that should be
>> copied too?
>
> The value for profile should be the ID you specified when creating the
> tailoring. SCAP Workbench by default adds "_customized" suffix.
> In the customization file, it should be defined in the "xccdf:Profile"
> element in the attribute "id".
>
> If the default value suggested by SCAP Workbench was used, the profile ID
> will be:
> profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized
>
>> On Apr 5, 2019, 6:38 AM -0500, Watson Sato <[email protected]>, wrote:
>>
>> Hello,
>>
>> On Thu, Mar 28, 2019 at 4:50 PM Mike Johnston <[email protected]> wrote:
>>
>>> I'm new to this project and have always done my SCAP lock downs with
>>> kickstart scripts up until now. This looks to be something I switched to a
>>> long time ago.
>>>
>>> In the environment I work in, I need to make custom ISO installation
>>> disks to send out to the field. I've been testing out the 'addon
>>> xccdf_org.ssgproject.content_profile_stig-rhel7-disa' security profile and
>>> then made a custom tailored XML following the guidelines to keep a few things
>>> on that were being removed. My problem is that now that I have my
>>> 'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my kickstart image?
>>>
>>> I've tried copying it in the post -nochroot section of my kickstart to
>>> /tmp/openscap_data and /root/openscap_data and neither of those worked.
>>
>> From what I see in the source code, the tailoring file needs to be in
>> "/tmp/openscap_data".
>> During the post install phase, the addon copies the file to
>> "/root/openscap_data" and uses the tailoring from there.
>>
>>> Can someone tell me or show me where in the guide it shows where it's
>>> supposed to go?
>>>
>>> This is what my kickstart looks like:
>>>
>>> -------------------------------------
>>> %post --nochroot
>>> cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml /root/openscap_data/
>>>
>>> %addon org_fedora_oscap
>>> content-type = scap-security-guide
>>> profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa
>>
>> One thing to note is that the profile to use here should be the one
>> created in the tailoring file.
>>
>>> tailoring-path=ssg-rhel7-ds-tailoring.xml
>>> %end
>>> -------------------------------------
>>>
>>> Thanks for all the work...this is a great project.
>>> _______________________________________________
>>> scap-security-guide mailing list --
>>> [email protected]
>>> To unsubscribe send an email to
>>> [email protected]
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/[email protected]
>>
>> --
>> Watson Sato
>> Security Technologies | Red Hat, Inc
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc
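
The check described in the thread (the kickstart "profile" must be the ID in the tailoring file's "xccdf:Profile" element), as an added example that is not part of the original messages or of the addon's code. The sample tailoring file, its placeholder rule ID and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace
# Constructed tailoring file; the rule ID is a placeholder, not real content.
TAILORING = """<?xml version="1.0"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring_default">
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized"
                 extends="xccdf_org.ssgproject.content_profile_stig-rhel7-disa">
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_EXAMPLE_x11_removed" selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>"""

# Constructed kickstart fragment that names the base profile, as in the thread.
KICKSTART = """%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
tailoring-path = ssg-rhel7-ds-tailoring-custom.xml
%end
"""

def tailoring_profiles(xml_text):
    """Map each tailored profile ID to (base profile ID, deselected rule IDs)."""
    profiles = {}
    for prof in ET.fromstring(xml_text).iter(XCCDF + "Profile"):
        off = [s.get("idref") for s in prof.iter(XCCDF + "select")
               if s.get("selected") == "false"]
        profiles[prof.get("id")] = (prof.get("extends"), off)
    return profiles

def addon_options(ks_text):
    """Return the key = value options of the %addon org_fedora_oscap section."""
    m = re.search(r"^%addon\s+org_fedora_oscap\s*\n(.*?)^%end", ks_text, re.S | re.M)
    lines = m.group(1).splitlines() if m else []
    pairs = (line.split("=", 1) for line in lines if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def check(ks_text, xml_text):
    """Return problems found; an empty list means profile and tailoring agree."""
    opts, profiles = addon_options(ks_text), tailoring_profiles(xml_text)
    wanted = opts.get("profile")
    if "tailoring-path" not in opts or wanted in profiles:
        return []
    hint = {base: pid for pid, (base, _) in profiles.items()}.get(wanted)
    msg = f"profile {wanted!r} is not defined in the tailoring file"
    return [msg + (f"; tailored ID is {hint!r}" if hint else "")]

if __name__ == "__main__":
    print(check(KICKSTART, TAILORING))
```

Running it against the image's kickstart and tailoring file before building the ISO shows which rules the tailoring deselects and flags a "profile" value that still names the base profile.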
